Storm Worm Being Reduced to a Squall

Rumours of financial schemes surrounding the botnet aside, PC World has an article that should lower the blood pressure of some SysAdmins. The Storm Worm botnet is apparently shrinking. A researcher out of UC San Diego who has been tracking the network has published a report indicating it is now only 10% of its former size. "Some estimates have put Storm at 50 million computers, a number that would give its controllers access to more processing power than the world's most powerful supercomputer. But Enright said that the real story is significantly less terrifying. In July, for example, he said that Storm appeared to have infected about 1.5 million PCs, about 200,000 of which were accessible at any given time. Enright guessed that a total of about 15 million PCs have been infected by Storm in the nine months it has been around, although the vast majority of those have been cleaned up and are no longer part of the Storm network."

Spread of Windows

[Prysorra]

Anyone else think that the rather lax enforcement of Windows piracy is helping to create the possibility of massive botnets?

Just wondering.

Re:Spread of Windows

[Colin+Smith]

Hmmm... Windows as a threat to national security ...

Imagines SWAT teams dodging chairs as they storm Microsoft headquarters to screams of "You'll never take me alive copper!"

Re:Spread of Windows

[sakdoctor]

I'd say enforcement of Windows piracy is the least lax that it has ever been.
WGA raises the barrier of casual copying to lusers who's skill wouldn't have been enough to stop them getting pwned by some virus, and being incorporated into a botnet.

Re:Spread of Windows

[$RANDOMLUSER]

Or possibly it's the lax enforcement of security standards by Redmond programmers? Or the lax attitude of Microsoft about all things not directly related to increased sales and world hegemony?

Re:Spread of Windows

It's probably just that the owner of the network doesn't like the publicity and is moving a good proportion of the nodes to less conspicuous means of communication, or even temporarily deactivating nodes. If the secutiry guys manage to disable the main Storm network, they may find that the parts they disabled are no longer necessary for the hacker.

Re:Spread of Windows

Thats part of the problem. One of the ways they protect against privacy is keeping you from getting updates. This leaves unpatched pirated systems out there. Since there is no real legal threat for the average user the only real motivation for a person to get a legit copy is so they can get security updates easily. Joe Six Pack is just going to borrow that pirated copy of XP his buddy picked up at a flea market. OP brings very valid point

Re:Spread of Windows

[El+Lobo]

Interesting? Ignorant, I would moderate this. Security patches for serious problems like this are always available EVEN for non Genuine windows.

Re:Spread of Windows

[wizardforce]

Anyone else think that the rather lax enforcement of Windows piracy is helping to create the possibility of massive botnets?

no. windows does just fine getting infected by its self, it doesn't need a pirate's help arrrr.

Re:Spread of Windows

[ILuvRamen]

if everyone used Mac OS or a Linux distribution then malware makers would target them. They only target windows cuz it's popular. Come on, everyone knows that.

Re:Spread of Windows

[rustalot42684]

But then SWAT is beaten back by Clippy:
It looks like you're trying to raid the Redmond campus. Would you like to:

• Hunt and kill all the employees
• Destroy the supercomputer cores
• Uncover the secret plot for world domination
• Just raid the campus without help

# Don't show me this tip again

Re:Spread of Windows

[LO0G]

Huh? According to Microsoft they security updates to pirated versions of Windows. Source: (click on "Will users of non-genuine Windows be blocked from receiving security updates?")

It also appears that the Malicious Software Removal Tool doesn't require validation either.

So you can run the same malware removal tools on pirated versions of Windows as well.

Re:Spread of Windows

No. Regardless of genuine status, users will not be denied access to critical security updates. Users who have not validated their computers as genuine, however, will not be able to install many updates, including Internet Explorer 7.0 and Windows Defender. Microsoft strongly recommends that users of non-genuine systems correct their problem immediately.

Re:Spread of Windows

[JackMeyhoff]

Actually, it is. Its not certified for such use when there is a network card installed.

Re:Spread of Windows

[Anpheus]

Made up statistics* count for around 9/10ths of the reason you say that.

* over the past six months, the number of made up statistics has TRIPLED! wiki it!

Re:Spread of Windows

[vtcodger]

***Anyone else think that the rather lax enforcement of Windows piracy is helping to create the possibility of massive botnets?***

Why would anyone think that? Windows is Windows whether it's pirated or paid for. Is a drunk weaving through heavy traffic at 135kph any more or less of a menace if he's driving a stolen car rather than a car he "owns"?

Re:Spread of Windows

[Keruo]

> It also appears that the Malicious Software Removal Tool doesn't require validation either.

Fixed your link.

Re:Spread of Windows

[LO0G]

So? First off, the IE team claims that IE7's going to be available without WGA. So part of that is no longer valid.

Also, I was responding to a claim that Microsoft witheld security updates for people who were running pirated versions of Windows. I provided a link from Microsoft that seems to indicate otherwise.

Why is this a problem? Are you saying that Microsoft is lying in their post?

Re:Spread of Windows

[Gerzel]

Balmer is a master of his art. There would be no dodging.

Re:Spread of Windows

[diskis]

That argument is getting a bit dated. Linux is used more and more as servers. More processing power, more bandwidth and not so competent administrators. I know a lot of machines sitting un-updated on 100mbit or faster. They have been sitting for years serving as storage for irc logs, simpsons episodes and funny pictures. Still they are not part of any botnets.

Re:Spread of Windows

[petermgreen]

Anyone else think that the rather lax enforcement of Windows piracy is helping to create the possibility of massive botnets?
IMO anti piracy measures are contributing to insecurity. The fact is that such measures WILL be cracked and those using cracked versions will be reluctant to install updates both from the point of view of MS possibly breaking thier system (I don't think WGA actually disables your system on XP but it does give annoying nag messages they could change it to be nastier at any time, sure you don't have to install WGA to get important updates but MS repeatedly put it back in the critical updates list every time they update it so it only takes one slip to end up with it installed) and from the point of view of possiblly giving away to MS that they are pirates to be hunted down (afaict MS hasn't actually done this yet but after the recent filesharing lawsuits I wouldn't blame people for being paraniod about it).

Anti piracy measures probablly do stop some piracy but they also mean a lot of people stick to older versions/non updated copies of pirate software to make sure they don't have problems (whether technical or legal).

Re:Spread of Windows

[petermgreen]

Huh? According to Microsoft they security updates to pirated versions of Windows.
they do kind of.

If you want to run pirate windows without getting nags and you don't have access to a good (as in allocated by MS and not shitlisted because of wide distribution) corp key you have to either crack windows genunine advantage notifications or keep it off your system. Cracking it has the downside that MS could release an update at any time.

There are two easy ways to keep windows genuine advantage notifications off your system.

1: set automatic update to prompt before installing updates and manually check the list for wga every time (you can reject it but it reappears every so often). This is probablly tolerable if it is your own machine but if you give it to someone else to use then it's not such a good idea.
2: disable automatic updates completely.

Re:Spread of Windows

[Colin+Smith]

Ah. This explains volumes about American foreign policy...

Re:Spread of Windows

[initialE]

More like the disabling of updates for pirate copies. Do security updates protect you from the internet or the internet from you?

Re:Spread of Windows

[budgenator]

Psst, It's Bob, the avitar that went underground years ago, he's the mastermind behind it, Clippy is just the stooge up front to thake all of the heat, Kill Bob.

Re:Spread of Windows

[budgenator]

Maybe they just forgot to reboot the server so the changes didn't take effect

Re:Spread of Windows

[shish]

Anyone else think that the rather lax enforcement of Windows piracy is helping to create the possibility of massive botnets? No.

Re:Spread of Windows

[zebs]

Jumpman/Mario to the rescue!

Re:Spread of Windows

[thejynxed]

The problem with your solution is:

Some security updates won't be installed even via Automatic Updates if WGA is not found to be installed on the machine. There's a programmed limit tied into a WGA check. It doesn't check if your system is genuine or not, but it checks if WGA is installed and operational. If it is, you get all hotfixes past a certain KB number. If it is found to be a defect WGA install, you only get those hotfixes that are excluded from the check. This is why Autopatcher was so useful. You could install all of those patches if WGA was present or not, because Autopatcher never checked for an operational WGA installation, and the individual hotfixes don't either. It is the MS Automatic Update service that confers with the MS update servers and performs the check.

I've found this out the hard way before I caught on to exactly what was happening, and just used Autopatcher instead for all of my Windows installations. Not that I use any pirated OS mind you, but I've had activation issues that required a funky workaround given to me by MS Support Services for WinXP Pro SP2, which made WGA say my install wasn't Genuine when it is. The issue had to do with something in the SP2 upgrade from SP1a making WinLogon do strange things and give me mystical error messages that only a Russian could possibly decipher (or some lady from China working for MS Support, as was the case here).

On a side note: I know people will probably say "Use Linux". No thanks. It doesn't do what I need it to do (I play many games that require DirectX and don't run under Wine or Cedega, and I use Citrix Metaframe, Solidworks, etc), and my hardware isn't supported via anything other than ugly hacking about in a terminal, which I'll take a pass on doing, because frankly, I don't have the time nor the inclination to do so (Mepis is the only distro that even came close to detecting most of my hardware automatically, and that was minus any networking or accelerated graphics).

It's fine to play around with on a LiveCD (and I have several distros in this form), but until it does what I need it to do aka, "Right Tool For the Job at Hand", right out of the box, it's a non-starter in my situation. Maybe some year. Either that or I need to stop using such obscure hardware (mainly it is lazy manufacturers releasing buggy or totally broken Linux drivers) and software (game devs not using OpenGL and OpenAL).

Re:Spread of Windows

[s_p_oneil]

Are you trying to say there may actually be a good side to the WGA stuff Microsoft is forcing everyone to install? ;-)

Re:Spread of Windows

[Bearhouse]

Good post, with which I agree totally, and is probably useful for some, thus 'insightful', I guess.

I've given up on windows activation, for much the same reasons as yourself. I seem to spend my weekends re-installing friends and neighbours windows PCs, and have either purchased, or legal access to, ALL the flavours of XP, (and Vista etc.)

The easiest installs (for 'office' too) are *always* the unattended, slipstreamed 'pirate' versions found on the net, (suitably checked, of course). Update the serial number, and away you go... As for linux, great for servers, but driver hell...and all the abovementioned users are already XP brainwashed anyway.

Too bad you won't get modded up, since you're:
1. 'Pro' windows, and some would say 'pro-pirate'.
2. 'Anti' linux...

*sigh*

Good

[Colin+Smith]

Now that it's down to 5 million we can all breathe a sigh of relief...

Maybe.

[khasim]

From TFA:

Then on September 11, Microsoft added Storm detection (Microsoft's name for Storm's components is Win32/Nuwar) into its Malicious Software Removal tool, which ships with every Windows system. Overnight, Storm infections dropped by another 20 percent.

Anyone have any info on whether Microsoft's tool would detect it earlier?

Oblig.

[The+Living+Fractal]

Couldn't this just be the 'eye' of the Storm?

Or is it possible that Windows boxes really are just getting more secure? Ohh shit I asked THAT on Slashdot?! Charles Stross will have my soul. /owenwilson

Re:Oblig.

[marcosdumay]

Windows boxes are getting more secure all the time.

But we can only guess when they will be ready for widespread use...

Re:Oblig.

[rustalot42684]

IMO, Windows Vista is the most secure Windows yet (because of UAC). That said, compared to other systems, is Windows secure? It is certainly less secure than my Linux box. But OS security is only one half of the equation. IMO, many viruses are PICNIC (Problem in Chair, Not In Computer) problems. I think that the problem of viruses would be greatly reduced if people were less ignorant about viruses.

Re:Oblig.

[slyn]

If the boxes are getting cleaned up from Storm, then they have all the newest updates on them, don't they?

It was my understanding that when Storm infected a PC it downloaded and installed all the security updates for windows. If only 10% of the PC's originally infected still haven't been cleaned up and the apex of infections was 15M, then 12.5M boxes that might otherwise not have had the updates now do.

Re:Oblig.

[ConceptJunkie]

Yes, unfortunately, it's a toss-up between whether Vista is more secure because of better security features or it's more secure because no one uses it.

Re:Oblig.

[morgan_greywolf]

I think that the problem of viruses would be greatly reduced if people were less ignorant about viruses.

I think the problem of viruses would be greatly reduced if people were less ignorant about how their behavior causes them to get viruses.

Windows can be an okay operating system security-wise, if people didn't do these things:

Run Internet Explorer: IE is buggy and and insecure. If everyone replaced it with Firefox with the NoScript plugin installed, you could watch how much fewer viruses there would be.

Run Outlook or Outlook Express: Mail programs shouldn't have scripting abilities that can take control of the entire OS. Watch how much fewer viruses would exist if people would run Thunderbird instead.

Download programs from untrusted sites: Lots of random malware, spyware and viruses are installed because users the latest 'cute' or 'cool' thing their friend told them about.

Enable VBA macros to autorun in Microsoft Office documents. Turn off macros.

Run as Administrator: Either learn how to use your OS properly or upgrade to Vista. Seriously.


Eliminate these behaviors and you will have removed the most common vectors of infection on Windows machines.

Re:Oblig.

[courseofhumanevents]

In other news, we've discovered that the national death rate would be decreased significantly if people would stop dying.

Re:Oblig.

[lattyware]

That is what you think...

Re:Oblig.

[calebt3]

*my* Windows box has never been "hacked". Give me a few more minutes.

Re:Oblig.

[budgenator]

Like anybody is realy going to run UAC exceoppt Linux geeks who don't know any better, of course you can actualy run that way in Linux.

Re:Oblig.

[rustalot42684]

UAC is set up by default. Even if user foobar is in the admin group, they still get to use UAC, they just don't have to put in their password.
The problem is that so many legacy apps need to run as root that many users will become accustomed to just clicking yes every time. See the user education bit in my post.

Re:Oblig.

[budgenator]

Windows XP SP2 has been out for long enough that their is no excuse for an application that can't run in a LUA environment; the only company that has gotten it right is Sun Microsystems, installing Java is standard for how all software should install on windows. In most software you have to jump through so many hoops to get it installed that most people give up and just run everything as admin. Here's the killer aunt Millie goes to a website and needs to install a plug-in to see all of the content, let's say Flash for Grins and Giggles.
She kicks yes and saves to the desktop and now she's stuck it won't install, the easy way around it is to switch users to admin, (wait for all of the crapware to auto-load) and try to remember what site and plug-in she needed and of course she can't. So Now She gets and inspiration, and clicks though my computer, Documents and settings to her user area and access is denied! Curses, not she whiches users back and try to right click the installer and chicks run-as admin, still admin has insufficient privileges to open the file, Aunt Millie is stuck and from now on Aunt Millie is going to run as Admin because its easier and her computer is going to be part of the next bot net.

The problem is you say so many legacy apps need to run as root but in windows their is no root, root is the trusted superuser in *nix, in windows there is admin, the untrusted semi-superuser. Root is your Priest/Rabi Doctor and Lawyer all rolled in to one in the computer context, root is privileged as in Dr-patient privilege, Admin is the asshole one level up trying to get leverage over you or the car mechanic in a one horse town ready to cut your fan belt in the blink of an eye as you pass through.

OBTW do you know how to install software saved on a LUA's desktop? Took two years but I figured it out.

Re:Oblig.

[petermgreen]

IE is buggy and and insecure.
not that firefox is much better, iirc there are loads of reproducable crash bugs that aren't investigated because they don't affect enough users. I wonder how many of those would turn out to be worse than just crash bugs when investigated properly.

noscript may help a little but most users are just going to disable it for any site they want to visit that doesn't work properly without scripting.

Re:Oblig.

[morgan_greywolf]

NoScript helps most because it stops scripts on other domains (like ad servers) than the one you're looking at.

Re:Oblig.

[petermgreen]

true but if use of noscript in that way becomes common things will just have to be changed to include the ad servers javascript serverside rather than clientside. That would make the security situation even worse.

Re:Oblig.

[morgan_greywolf]

True. But at that point you can just add in AdBlock Plus, which is, admittedly, a bit more involved than NoScript, but with automatic rule updates and people constantly working to add in new rules, it's gotten a whole lot better.

Re:Oblig.

[Whatanut]

What the hell kind of windows setup are you running that the admin account can't get to all the user areas under Documents and Setttings. By defeault there is nothing to stop this. The admin account has just as much freedom of the system under windows as root does under Linux. Even if you go change the default settings on a file so that only the LUA has rights to blink in it's general direction you're not going to keep the admin user off of it. Just take ownership of the file if you really want it.

Re:Oblig.

[petermgreen]

That sounds very much like the situation with virus scanners, yes they work to a point but they won't stop crap that is newer than your latest definition update.

don't be sure

[phantomfive]

The researcher determined this with a spider he created to crawl the storm network. How does he know that the network is shrinking and not just being partitioned?

Furthermore, the storm virus is known to be updatable. Is it possible it was updated to be even less obtrusive, thus escaping detection in other ways? Maybe it has gone into dormant mode, because the creator doesn't need so many computers at the moment.

One interesting innovation of the worm, quoted from the article:

"If you're a researcher and you hit the pages hosting the malware too much... there is an automated process that automatically launches a denial of service [attack] against you," he said. This attack, which floods the victim's computer with a deluge of Internet traffic, knocked part of the UC San Diego network offline when it first struck.

I think some part of me must be sick or something, because when I read about this I almost hope the worm will get bigger, become unstoppable, and reveal windows for the insecure piece of crap that it is. Linux, BSD, OSX, Solaris, and heck even Minux could clearly stand up to a threat like this much more easily than Windows.

Re:don't be sure

[John+Hasler]

> I think some part of me must be sick or something, because when I read about this I
> almost hope the worm will get bigger, become unstoppable, and reveal windows for the
> insecure piece of crap that it is.

Already been done. Nobody cares.

Re:don't be sure

[MoogMan]

Linux, BSD, OSX, Solaris, and heck even Minux could clearly stand up to a threat like this much more easily than Windows.

Bzzzt! Wrong. There are many attack vectors for Storm's entry into someone's computer (one of which is indeed an OS vulnerability). AFAIK, the majority of the attack vectors rely on people downloading some bootstrapper program via their email or web browser. Nothing is going to stop this happening to a "normal" user on *NIX.

Re:don't be sure

[Master+of+Transhuman]

OTOH, the bot has to communicate out. As a normal user not running as root, that means it has to open a port. Many Linux distro firewalls - and some Windows third party firewalls, but not the standard Windows firewall - block incoming and outgoing ports by default unless explicitly opened. If the bot can't commmunicate, it's worthless to the botnet.

Of course, the Worm might be smart enough to trick the user into opening a port by popping up a message and requesting it masquerading as a legit program - but I haven't heard of the ability in it. Therefore it would seem likely that a version compiled to run on Linux wouldn't work.

Another possibility is that the bot would know a way to fool any software firewall to let it out. Most of the Windows software firewalls can be easily bypassed. Only Comodo manages to prevent most of the more common techniques. I'm not sure if Linux software firewalls are as easily bypassed.

Any distro whose firewall that allowed local initiated Web contact by default, however, probably would allow it out.

Bots are a good reason to have a hardware firewall that blocks everything except explicitly opened ports in or out.

Re:don't be sure

[Master+of+Transhuman]

I was wondering about the possibility of it being partitioned myself.

The botnet has always been hard to figure out the size because of its policy of only allowing a limited number of immediate connections in its net. Partitioning and assigning control of sections to other people - and this would presumably entail cutting connections with other portions of the botnet completely in order to enforce "ownership" - would presumably make it look smaller than it is.

This guy may also be overconfident in the crawling ability of his tool.

Re:don't be sure

[phantomfive]

Heh, I knew someone was going to trot out this old troll. The point is, it would be much easier to secure unix-type systems than windows-type systems. Compare Microsoft's budget to that of OpenBSD; now tell me, which is more secure?

For it to be effective as a virus, it is going to have to install itself to startup somehow. What is going to do, add a line to my .bashrc? Add a script to /etc/rc.d? It can't do that, only root can, and I don't browse the internet as root. Nobody does.

You may say, "it will prompt you for the password and idiot users will just type it" but you are showing your Windows bias. On windows, you get so many popup prompts that many users just ignore them and do whatever they ask. OSX has shown that it can be done differently, however. Ask any average OSX user what they would do if a downloaded attachment asked them for their root password, and they will say something to the effect of, "Freak out and delete it immmediately." It's because the warnings and prompts in OSX don't become annoying.

Security on Windows is hard. For any vulnerability, it takes a lot more effort to fix on Windows than a similar vulnerability in a Unix system. In unix-world, fixing the OS is an option.

Re:don't be sure

[Sancho]

Which Linux firewalls block outgoing connections by default? In my 12+ years of using Linux, I have never seen this behavior configured by default.

Re:don't be sure

[Sancho]

With Windows, almost everyone runs as Administrator, so the software doesn't have to do anything special to hook into the OS while beings stealthy. On Linux, being stealthy (against most non-knowledgeable users) would just mean adding a line to .xinitrc or .bashrc. If you set your parents up with Ubuntu, would they know to look there? Would most people who aren't deep into the Unix culture?

Viruses on Linux would be easier to clean as long as the user isn't running as Root all the time (and the virus doesn't wait for them to legitimately type in their password and then sneak in on the 5-minute timer that sudo has), but the trojan infection vector would be just as easy.

Re:don't be sure

[phantomfive]

See, this is where it breaks down. If you are clever, I'm sure you can think of half a dozen ways to defend against this. The easiest I can think of in 10 seconds is to replace the .bashrc/.xinitrc with something standard every time a user logs in. A bit annoying, maybe; but effective.

This is why unix is so much easier to harden. Because of it is well-designed, there is much more flexibility when trying to think of a defense.

Re:don't be sure

[Master+of+Transhuman]

I don't know, I assume some of them do. I know most firewalls are configured to allow outbound by default, but I would assume some of them don't - or can be configured not to, so it would depend on the distro to set the default.

If none do, then Linux definitely is no better than Windows in this regard.

Re:don't be sure

[Sancho]

Are you suggesting that the user not be able to run things at startup? That would certainly work. You could also restrict what can be run to only things which have been approved by the vendor (in any particular OS), but it doesn't mean that it's a good solution.

Keep in mind that Windows could re-image itself every time that the computer is restarted, or every X hours. The registry startup entries could be cleared, each boot. The problem is that you lose functionality with any of these solutions. They're great for corporate environments, but they don't work so well for individual users at home.

It's not hard to stop malware from running on computers. It's just hard to do it while maintaining the freedoms that current users enjoy.

Re:don't be sure

[petermgreen]

I don't know, I assume some of them do. I know most firewalls are configured to allow outbound by default, but I would assume some of them don't - or can be configured not to, so it would depend on the distro to set the default.
Blocking outbound by default would make a distro practically unusuable for anyone who didn't understand firewall configuration.

Re:don't be sure

[petermgreen]

and the virus doesn't wait for them to legitimately type in their password and then sneak in on the 5-minute timer that sudo has
It has always seemed to me that it would be pretty trivial for malware to hijack a users use of su/sudo/gksu/similar. The easiest way would be to modify the users bash profile and desktop menus so that instead of running the real elevation tool the users ran a program supplied by the malware. This program would then use the information it gathered to do both what the user wanted and what the malware wanted.

Re:don't be sure

[Sancho]

I'm not trying to be rude here, you probably shouldn't make a statement of fact based upon your own assumptions.

I've mostly used Debian-based Linux distributions, though I've also used Gentoo. I've installed Red Hat's enterprise solution, though I've never used it on the desktop. None of these have any special firewall beyond Netfilter (commonly called iptables.) Some are configured to block inbound packets that aren't part of an established connection, some don't have any rules by default (and use implicit pass in/out), but of the three, none have had implicit outbound-blocking. I've also never seen a Linux firewall that worked like ZoneAlarm (blocking by default, but alerting you and offering to let you allow the connection.)

No better than Windows on this front? Well, only as far as the defaults go. You're quite capable of blocking egress (outbound) traffic in Linux, you just have to turn it on yourself. In XP, you aren't even capable of blocking outbound traffic without third-party software--the Windows firewall only blocks incoming connections (as far as I can tell--since I don't run Windows myself, my experiences are limited to times when I've had to learn enough to support a user.) So Linux is a little better--at least the capability exists.

Re:don't be sure

[Sancho]

sudo, at least, needs to be suid. A trojan would have to act as a wrapper, which could certainly work, but it would probably be more suspicious than /home/bin/happyfungame, which would just start a background process and wait for the user to run sudo.

Then again, we're talking about the more ignorant userbase, so a wrapper in their home directory might go unnoticed.

Re:don't be sure

[lachlan76]

Just chmod .bashrc, .bash_login, etc. to 500, so that only root can make things run on startup.

Re:don't be sure

[petermgreen]

Unless you go looking at the list of environment variables (something that most people only do occasionally afaict, probablly far less often than you use su) you won't notice something new on the start of your path and I very much doubt you will notice a binary sitting in some deep subdir under your homedir or even somewhere under /tmp .

for menu based stuff it is even easier, are you really going to notice a couple of menu item customisations?

Re:don't be sure

[flyingfsck]

"Freak out and delete it immmediately." Nope - in my experience, OSX users have no idea what their root (or for that matter any) password is. They logged in some time a few years ago, and never rebooted or logged out again, so they just don't know - got it on a piece of paper in a drawer somewhere...

Re:don't be sure

[Colin+Smith]

Already been done. Nobody cares. Yet.

Re:don't be sure

[DarkOx]

I can see it being perfectly resonable to do that on work station at a business. The bad news is it won't make sense to do on a home PC. But try locking down windows PCs in a small or medium size shop where peoples job functions require a wide range of software. Chances are there is something every organization job function in that business requres that WONT run right on a hardened windows box.

There is just to much legacy on windows, period. The security architecture is probably *OK* now if best practices are employed. The trouble being because of all that legacy and history of not doing things right, best practices are often impractical on Windows. The only way we will ever see is if people switch platforms en mass. They need to switch to something with either a good legacy or something new and designed for the modern networked world from the ground up. Microsoft would be doing everyone a big favor if they followed Apples lead a disposed of that legacy. They could provide an emulator to run older software, rather then a layer like WOW wich is not a full sandbox and does little to actualy remove the risks.

Re:don't be sure

[innocent_white_lamb]

That won't work. Try it. Write a file into your home directory, chown root.root, chmod 500.
 
You can still delete it and replace it with no difficulty.
 
You could possibly accomplish what you want to do with chattr and make it an immutable file.

Re:don't be sure

[jaxtherat]

The default configuration of Ubuntu server does...

Re:don't be sure

[http]

...and I don't browse the internet as root. Nobody does.

Linspire.

Re:don't be sure

[trifish]

It can't do that, only root can, and I don't browse the internet as root.

Uh, ever heard of privilege escalation vulnerabilities? FYI, these affect Linux too (both kernel and user-space apps like Firefox).

Re:don't be sure

[trifish]

With Windows, almost everyone runs as Administrator,

You mean Windows XP, not Windows in general. As on Vista, almost everyone runs as non-admin.

Re:don't be sure

[Sancho]

Almost.

I recently bought a new off-the-shelf computer with Vista. It was a Major Brand, so I imagine that there are a lot of this particular computer out there.

On this computer, Vista is set up such that the first user you create is in the Administrators group. What this means is that you never have to enter any passwords to do administrative tasks--you just have to click "Continue" a few dozen times. The user will probably do this to get back to whatever they're doing without even reading the prompt or understanding it. They're still admin, they just have an extra click in order to do system tasks that XP users don't have.

Now the same thing could be said of having to enter a password--that they'll just blindly do it. If that's true, then Linux is probably even less secure than Windows, since with Linux, you don't have to enter the password for 5 minutes (the default) after the last time that you ran sudo.

Re:don't be sure

[Deanalator]

First of all, this is a case where nix is no more protected than windows. I would even claim that these networks were started in nix land in the mid 90s, and ported to windows due to the much larger user base.

Also, the researcher is spidering multiple partitions. When one of the storm researchers gets a new variant with a new key, they extract that key, and then spider that partition. They may not have all of them, but from what I understand they have enough sources that they probably have most of them.

Re:don't be sure

[deviceb]

"Maybe it has gone into dormant mode, because the creator doesn't need so many computers at the moment."
that was my thoughts as well.. i do not want it to shrink either. I love the thing.. I hope it gets some AI and takes over the net/us/world/universe.

Re:don't be sure

[ChronoReverse]

Even with that said, the firewall in Vista has been updated to also allow outbound blocking in the same manner of Linux. That is, it doesn't by default.

Re:don't be sure

[Sancho]

I just did an install of ubuntu 7.10 server:

root@ubuntu:~# iptables -nvL
Chain INPUT (policy ACCEPT 63 packets, 7736 bytes)
  pkts bytes target prot opt in out source destination
 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target prot opt in out source destination
 
Chain OUTPUT (policy ACCEPT 55 packets, 5958 bytes)
  pkts bytes target prot opt in out source destination

Re:don't be sure

[MoogMan]

I agree, any flavour of BSD and the majority of Linux distros are shamelessly secure out of the box, whilst Windows is not. This is not the point I was making.

The issue is this: People (i.e. your average Joe). A normal user will fall for the same phishing scam regardless of the OS they run on. Once a rogue program gets onto your system, it really doesn't matter if it hasn't got root access. A few trivial solutions that come to mind, with a bit of thought I'm sure you can come up with many more:
- Adding it to the primary users' X session startup program.
- Adding it as a user cron job that runs on reboot.
- Some form of web browser plugin that gets invoked and persists after a user closes the browser window.

And of course, executables do not need to be root to communicate with the outside world (> port 1024 of course).

Viruses or Bots do not need to be root, I don't know why many people think this. Security is not a programming problem. Security is primarily a people problem.

(And FWIW, I have used Linux as my primary desktop for over 7 years, I can assure you I have no Windows bias, I'm just being a realist. I can't comment on Mac OS-X, I've not used it for longer than about 30 mins)

Re:don't be sure

[trifish]

Um, I'm not sure what point you are trying to make. Again, do you admit that your blanket statement was wrong? I mean this one: "With Windows, almost everyone runs as Administrator"

If you said Windows XP/2000 you would be right. Because on Vista almost everyone runs as non-admin and can comfortably elevate with per-app granularity if needed.

Re:don't be sure

[Sancho]

No, see the point is that you're still running as admin--it's just that administrative duties still require an extra (few) clicks. If you think that the extra clicks makes it more secure, then I'm afraid we won't be finding much common ground in this discussion.

Re:don't be sure

[trifish]

You know what? You either don't know what you're talking about, or you do (and then you are... a good old anti-MS troll).

the point is that you're still running as admin

You're not. Read something about it.

If you think that the extra clicks makes it more secure

Yes, it does.

Re:don't be sure

[Sancho]

the point is that you're still running as admin

You're not. Read something about it. You read something about it. If you weren't an administrator, you'd have to input the administrator password in order to elevate the privileges. It may seem like semantics, but it's an important difference. UAC when you're an administrator is kinda like aliasing "rm=rm -i" when you're root. You're still root, but the system makes sure that you wanted to perform that action.

Re:don't be sure

[trifish]

If you weren't an administrator

You are not an administrator. Look: If an application needs admin rights, you may allow it to run under an admin account, but event then you remain non-admin. Do you see it? Technically, you are never admin under Vista. That's the brilliance of the solution. OS X and Linux don't even come close to this.

Re:don't be sure

[Sancho]

Could you provide technical documentation to support your claim? Because from my personal experience, it's just not true.

UAC (the bit of Windows that darkens the screen and makes you click "Continue" to perform administrative actions, and which alternatively asks for a password if you aren't already running as a user who has administrative rights) is just a bit of code put between the UI and the underlying system calls. It's quite easily removable (reference here: http://blogs.msdn.com/tims/archive/2006/09/20/763275.aspx). If you remove UAC, you're left with an operating environment very similar to XP, in that administrative actions go completely unchecked by the OS, as long as you have permission to perform the action. If you don't have permission (for example, you're running as a non-administrator, or you don't have some particular token that provides the permission), then you will simply be denied access to whatever you were trying to do.

UAC was touted by Microsoft as the end-all be-all of security, and it looks like you've fallen for this hook, line, and sinker. The truth is that it's great in theory, but in practice, it's just one more dialog box for users to click through whenever they're trying to do something on their computer. In theory, UAC prevents unknown processes from subverting the system because the user will know that they didn't initiate the action that prompted UAC intervention, and they will click cancel. In practice, they'll want to get their stupid elf-bowl game working or read the e-card that a random stranger sent them, so they'll click continue so they can get back to it.

But the key, and what seemingly lead to this absurd thread, is that they are still running as administrator. It may not be the administrator username, but that's just a label. The privileges are what matter, and in Vista, they've got the privileges (barring group policies or someone intelligent setting the computer up so that they're running as an unprivileged user.) An extra click to perform administrative tasks does not mean that they aren't running as administrator. I don't understand why this is so hard to understand.

I'd love to be proven wrong. I'd love for Windows to become more secure, because simply, it would make my life easier. Please prove me wrong, but actually prove it, because the words "Technically, you are never admin under Vista," really hold no water.

Re:don't be sure

[trifish]

Could you provide technical documentation to support your claim?

Yes. It's right from insiders (MS security guys) Michael Howard, Steve Lipner
who wrote the book "The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software", where in Part I, Chapter I, you can find this quote:

Much noise has been made about not running as an administrator or root account when operating a computer. We authors are vocal commentators about this issue, and this has helped force fundamental changes in Microsoft Windows Vista; users are, by default, ordinary users and not administrators. Even members of the local Administrators group are users until they are elevated to perform administrative tasks.

Re:don't be sure

[trifish]

Before you start doubting, the book I quoted from was released in 2006, when Vista had been feature-finished (beta testing). More about the authors:

Michael Howard, CISSP, is a Senior Security Program Manager in the Security Technology Unit at Microsoft.

Steven B. Lipner, CISSP, is Senior Director of Security Engineering Strategy in the Security Technology Unit at Microsoft.

Your anecdotal "insights" can hardly compare to these guys.

Re:don't be sure

[Sancho]

That's fair. You've got a citation that says it. At least you aren't talking out of your ass.

I'm going to stand by my earlier statement, though.

An extra click to perform administrative tasks does not mean that they aren't running as administrator. I realize now that I should have stopped when I said:

If you think that the extra clicks makes it more secure, then I'm afraid we won't be finding much common ground in this discussion. and you said

Yes, it does

Re:don't be sure

[trifish]

Of course it does protect you, that is, an informed user (not a click-happy idiot). You know, a click-happy idiot will also happily enter his admin password whenever he is asked to do so by OS X or whatever. There's no difference. Why make it more difficult when it can be much simpler for the informed user?

Anyway, the point is that on Vista people run as non-admins by default and can easily elevate with per-app granularity. Easy, neat, and secure enough. I am a security aware power user. On Windows XP malware can infect my OS without me noticing. Whereas on Vista I will see the UAC prompt and will know if it's appropriate to click Allow (for example, a browser should never really need to elevate). You get the idea. Vista's UAC works and it's orders of magnitude more secure than XP.

Re:don't be sure

[Sancho]

Yes, but the amount of protection you get is based almost solely upon your knowledge as a user. Here's a hint: most of the people out there are click-happy idiots.

I think where we really got off track was in post #21085803, where you suggested that That's the brilliance of the solution. OS X and Linux don't even come close to this. The semantics argument over what qualifies as administrator devolved from there, but you've successfully brought the original point back into focus. Anyway, the point is that on Vista people run as non-admins by default Semantics aside, the essence here is true. That is, you can't just perform administrative actions willy-nilly, or more specifically, malware can't do it. It requires that extra click.

Of course, the same can be said of OS X and Linux.

and can easily elevate with per-app granularity. And again, the same can be said of OS X and Linux.

Vista's UAC works and it's orders of magnitude more secure than XP. Again, only if you've got a clue.

Of course, most people with clues won't get infected in the first place. I used XP for years with no outward signs of infection (that is, no unaccounted for traffic in the external firewall logs.) If there was malware, it wasn't talking to the outside world, and it didn't delete anything that I noticed. That leaves a very small group of people who will notice UAC and use it correctly--that is, people who know enough to know that they didn't perform an action, and they don't just want to get back to what they were doing enough to click "Continue." In my years in IT, I've come to the conclusion that most people don't fall into this category.

Re:don't be sure

[trifish]

As I already said, yes, UAC isn't going to help click-happy idiots, which most people are. However, it's the same for OS X and Linux, which require the user to enter his admin password. Most people will enter the password.

Hence, the only difference between Vista and the *NIX systems in this regard is that on Vista it's much more comfortable and much faster (one click). Security-wise, there's no real difference.

Re:don't be sure

[Sancho]

Hence, the only difference between Vista and the *NIX systems in this regard is that on Vista it's much more comfortable and much faster (one click). Security-wise, there's no real difference. Incidentally, if you aren't in the Administrators group on Vista, you do have to enter your password. I'd consider that a slight security enhancement. If a bug in UAC is ever discovered which allows for the program to simulate a click on the UAC control, it would mean the difference between a rooted system and a secure one.

Anyway. I took most umbrage at the notion that Vista's security was something that "OS X and Linux don't even come close" to. Vista took cues from OS X and Linux, and managed to handle it in a way that didn't break most applications that assume Admin privileges. I don't think they really improved on the concept, though.

Re:don't be sure

[trifish]

If a bug in UAC is ever discovered

That's a red herring comment. If a bug is discovered in sudo... Do I have to continue?

Re:don't be sure

[Sancho]

Please do. Make sure you end with, "you still have to enter your password." A bug in sudo can't allow malware to just click right past the prompt.

Re:don't be sure

[trifish]

Please do. Make sure you end with, "you still have to enter your password." A bug in sudo can't allow malware to just click right past the prompt.

Of course, there can be an exploit in sudo allowing you to bypass password prompt. You've just proven that you are not worth my time, as you don't know much about security exploits. You are yet another naive fanboy without sufficient knowledge.

Re:don't be sure

[Sancho]

Ah, and so it comes out. What you don't realize is that we can audit sudo for security. We can't do the same for UAC. That's where the difference is.

What's more, if we don't feel like auditing sudo completely, we can at least audit the (rather short) code path from execution to password request. It really is a very small amount of code (yes, I've looked at it) and let's face it--it's the part that matters most from a security perspective. Once you've entered your password, the game's pretty much over.

*shrug*

I'm not sure who doesn't understand security at this point, but I'm growing tired of your insipid Microsoft fanboyism. See? I can call names too.

Good day. I wish I could say good discussion, but you've been pretty belligerent the whole way through.

Re:don't be sure

[trifish]

What you don't realize is that we can audit sudo for security.

Sure you can audit sudo. And you claim that it means that there can be no vulnerability in it allowing an adversary to bypass it? Well, you made me laugh. As I said, you truly are a naive fanboy who doesn't know much about security.

Don't bother replying, I won't read it.

Re:don't be sure

[trifish]

And as for me being an MS fanboy -- do you really believe that an MS fanboy would know what sudo is? Saying that Vista's solution is more comfortable than that of Linux and OS X makes me an MS fanboy? Isn't it rather obvious that it's more comfortable to do one click than to enter a password? Oh, well. This was my last message to you. Don't bother replying, because I won't read it.

Bullshit

Myself and some colleagues, along with a couple of anti-malware sites have been tracking Storm infections as best we can over the last couple of months. We've mostly been using honeypots, trapping SMTP traffic and utilizing some nslookup scripts to mine Storm's fast-fluxing domains. It has not shown any sign of shrinking, particularly not by a factor of 10.

The only people who have ever estimated its size to be anywhere near 50 million hosts are paranoid tin-foil hat wearing security analysts and journalists looking to generate some ad revenue with a shocking headline or two. I've never seen any solid evidence pointing towards Storm being larger than 2-3 million hosts, so even assuming there is an exact science at work here, 1.5 million is far from a 10th of 2-3 million.

This phenomenon would be a lot easier to combat if people would stop spreading bullshit stories such as this.

Re:Bullshit

[sg_oneill]

Whatever the case is, its a nasty piece of work. Theres precious little that'll stand up to that thing focusing fire on a target.

Re:Bullshit

[vtcodger]

If you read the article, the belief that the storm botnet is shrinking is based on the fact that the guy has a tool for actively crawling the Storm network. His estimates are based on the number of machines he can see vs the number that he used to be able to see. He agrees with you that there never were 50 million machines in the network BTW. He says maybe 15 million total over time and most of those have been deloused.

Since a tenfold reduction in the number of infected machines seems sort of optimistic, my guess would be that you might be closer to right than he is and that parts of the network might be hidden from him nowadays somehow. But what the hell do I know?

Oblig Inverse

[hksdot]

I for one bid farewell to our swarm intelligence worm overlords.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:looking for details on storm botnet control

[bucky0]

From what I remember, there's no central IRC control. The bots all join in a p2p network and share files with commands to be executed. The herder uploads a command file with a specific (spoofed) hash, and the bots spread them over the P2P network to the whole network. The reason noone's been able to pull the plug is because there's no central IRC server that people can target, the commands are just files on a p2p network.

One question

[edxwelch]

It says that you get infected with the storm worm by clicking on a link in an email message. But it that an IE security hole? What happens if you use firefox? Are you safe?

Re:One question

[tinkerghost]

If you launch an exe file, you launch the file - it's a pebkac defect not a programming one. It's independent of both the software & the OS.

Re:One question

[petermgreen]

my understanding is that you get taken to a page that tries a bank of browser exploits (I don't know if they are all for IE or if there are some FF ones in there too) until one works. If they all fail then it tells the user to download and run an exe.

Mac and Linux users

[gillbates]

Just breathed a collective sigh of relief...

Oh wait, maybe they were just rolling their eyes and sighing. Honestly, don't mean to troll, but you Windows users put up with so much trouble an annoyance just so you can avoid learning how a computer actually works...

Methinks you guys would be better off just biting the bullet and switching. Sure, Macs are more expensive, and Linux has a steep learning curve, but isn't it worth avoiding all of the frustration you're going experience over the rest of your tech lifetime? Or are you one of those folks who relishes the semi-annual Windows reinstall? Perhaps you like paying an annual license fee to keep your computer from getting infected with a virus?

When you think about it, even if you don't factor in the cost of your time, Microsoft Windows systems are easily the most expensive systems to run on the planet, and the least useful (unless you expect your corporate users to play games all day...) Microsoft has been leveraging fear of the unknown to blackmail and intimidate non-technical users into supporting their monopoly, and the only winners I see in the whole thing are Microsoft and Intel. The users aren't any better off, and sysadmins risk their careers (not to mention their marriages!) on the capricious reliability and security of Windows systems.

But I guess that's why there's an old saying: Fool me once, shame on you. Fool me twice, shame on me . Microsoft fooled me once. I'm not getting fooled again.

Re:Mac and Linux users

[TheRaven64]

Just breathed a collective sigh of relief... Oh wait, maybe they were just rolling their eyes and sighing. No, we get spam from Windows zombies the same as everyone else.

Re:Mac and Linux users

[Torvaun]

Windows can be secured. I've got an XP desktop for gaming, and I run Linux on my laptop. Neither of them get viruses. My protection suite is all free software, so there's no annual fee there. And, if enough regular people switched to something with a Unix base, they'd have virus issues too. There are viruses and rootkits for systems other than Windows. They aren't prolific because the average moron who clicks everything is on Windows.

Yes, those systems are more secure than Windows. No, they are not secure enough to deal with the assault of a wave of moronic users. Feel free to dream of an exodus away from Windows, but understand that nothing will change, even if your dream comes true.

Re:Mac and Linux users

[bigstrat2003]

Honestly, don't mean to troll, but you Windows users put up with so much trouble an annoyance just so you can avoid learning how a computer actually works... That's a pretty big troll for "not meaning to troll". Using Windows is not a barrier to knowing how computers work. Hell, you wouldn't want me to go into my rant on how OSX's ui is dumbed-down compared to Windows, and even I'm not arrogant enough to claim that Mac users necessarily don't know how a computer works.

Sure, Macs are more expensive, and Linux has a steep learning curve, but isn't it worth avoiding all of the frustration you're going experience over the rest of your tech lifetime? You know, for all the touted insecurities of Windows, I have been using it for YEARS, and have had a virus or spyware infection once. Even that one time, for that matter, it was only because I listened to a friend's advice on a good source for a keygen (Hint: keygen.us is really bad unless your computer is running at maximum security, preferably on a live cd). That's precious little frustration I've put up with. Contrast that with the frustration I experienced with the Mac GUI I dislike a lot, or the frustration of getting Linux set up properly (example: I should not have to either learn how to manage config files, or reinstall the OS, because I picked a resolution my monitor doesn't support... all basic tasks should be easily handled by the GUI). Windows is by far the least frustrating for me.

Or are you one of those folks who relishes the semi-annual Windows reinstall? Perhaps you like paying an annual license fee to keep your computer from getting infected with a virus? Both of these are blatantly false. I haven't reinstalled my copy of Windows since I built my machine, over a year ago. At best, one could argue that I bought some time when I installed Vista (upgraded from a pirated XP). Hell, I just popped a new mobo in yesterday, and Vista managed to get all the new drivers put into place properly (a pleasant surprise, given how dicey an operation that was under XP). As for the licensing fee, unless you mean a volume license or something (and there's no indication you do), you pay for Windows once per computer. Doesn't sound unreasonable to me.

When you think about it, even if you don't factor in the cost of your time, Microsoft Windows systems are easily the most expensive systems to run on the planet, and the least useful Macs are more expensive, as you already noted, and usefulness is pretty much equal across all the platforms. Macs have good design apps, Windows has its own apps, not to mention games, and Linux has good server apps. These are all useful for different groups of people.

The users aren't any better off That, sir, is entirely a matter of opinion, and many disagree with you. Many agree with you, too, but it hardly qualifies as some sort of statement of anything close to fact.

sysadmins risk their careers (not to mention their marriages!) I somehow doubt it's a risk to a sysadmin's career to support whatever software the company he/she works for uses, but maybe I live in the world of sane employers. God only knows how it jeopardizes marriages, I guess you figure that Microsoft is just that damn evil?

Re:Mac and Linux users

[creativeHavoc]

I wonder how many slashdot windows users are infected. I would venture a guess that there isn't very many. Computers are as smart as their users in a lot of cases, and most often that goes for security as well.

Re:Mac and Linux users

[Blakey+Rat]

Honestly, don't mean to troll, but you Windows users put up with so much trouble an annoyance just so you can avoid learning how a computer actually works...

1) What trouble am I putting up with? My Windows computer doesn't have Storm on it.

(To be a snarky devil's advocate, even if my computer did have Storm on it, the entire point of viruses like Storm is to hide themselves from detection, so it wouldn't actually cause me much trouble.)

2) Do you honestly believe that the average Mac user knows more about how a computer actually works than the average Windows user?

Methinks you guys would be better off just biting the bullet and switching. Sure, Macs are more expensive, and Linux has a steep learning curve, but isn't it worth avoiding all of the frustration you're going experience over the rest of your tech lifetime?

What frustration? My Windows computer doesn't have this virus. It works exactly how it should.

Or are you one of those folks who relishes the semi-annual Windows reinstall?

Why would I do that?

Perhaps you like paying an annual license fee to keep your computer from getting infected with a virus?

Nope, I just don't do stupid shit like running programs from porn websites.

Microsoft Windows systems are easily the most expensive systems to run on the planet,

Wow, you should talk to someone who uses Sun systems.

But I guess that's why there's an old saying: Fool me once, shame on you. Fool me twice, shame on me . Microsoft fooled me once. I'm not getting fooled again.

How, exactly, did Microsoft "fool" you? Out of curiousity. Your post is almost entirely nonsense.

Re:Mac and Linux users

[gillbates]

Using Windows is not a barrier to knowing how computers work.

Um, apparently Redmond disagrees with you:

1. It hides OS files by default. So even if you want to know how your system works, the nanny OS reminds you that you shouldn't be looking in that folder.
2. It hides extensions by default. Yes, I've met Windows users who don't even know what an extension is, thanks to Microsoft.
3. It installs device drivers automatically, and hides their existence from the user.

It seems that Redmond's design philosophy is that a computer user shouldn't understand how their system works - they should just use it. Which is fine until something goes wrong, at which point the average user calls tech support at $150 an hour to clean out their registry and do a virus scan.

Sure, clearing these hurdles is relatively easy for a technical user, but they effectively keep the average user in the dark as to how their system works. And that causes all kinds of problems.

And yes, this was the point of the whole 'intuitive, easy to user' marketing blitz by Redmond - Windows was supposedly cheaper because even someone who didn't know anything about computers could use it. Problem was, someone who didn't understand computers couldn't fix them, and the early versions of Windows crashed often.

Re:Mac and Linux users

[networkassault]

This guy's right. Most Windows users are N00Bs that have no idea what they're doing behind the keyboard of the computer. There are intellegent Windows users, but the majority are people who are about as knowlegeble with computers as they are with cars. They know how to drive, but they have no idea how to perform regular maitanence.

Re:Mac and Linux users

[bigstrat2003]

It hides OS files by default. So even if you want to know how your system works, the nanny OS reminds you that you shouldn't be looking in that folder. If you're referring to hidden files, fine, although I disagree. If you're referring to the little "click here to view inside this folder" screen, that's HARDLY bad, if you're interested in seeing the files it takes one little click.

It hides extensions by default. Yes, I've met Windows users who don't even know what an extension is, thanks to Microsoft. Yeah, that annoys me.

It installs device drivers automatically, and hides their existence from the user. It shouldn't install them automatically? Hell, even as a technically-minded user, I appreciate that little service.

And in the end, it's a DAMN GOOD THING to hide the inner workings of the OS from the average user. They'd wreak havok on it, and then cry that their computer is broken, goddamn Microsoft! Moreover, no matter your stance on how these things should be handled, it doesn't change the fact that using Windows does not mean you don't know how a computer works. That was your ridiculous, trollish claim, and that's what I'm disputing.

Storm

[Tibixe]

An unstoppable botnet... quite beautiful. (Well, unstoppable as long as Windows is not exactly secure.) I know it's probably done for money, but wouldn't it be funny if ten years later someone announced he made the Storm to compute big prime numbers, and he found 10000 more than ever? :) By the way, what is the use of big computers/networks if not maths?

woops

[slyn]

gah! 15m - 1.5m = 12.5m only for extremely large values of 1.5m.

For normal size values of 1.5M the result is 13.5M.

...reduced to a Squall

[Wonko+the+Sane]

So it now has a scar on it's face, and carries a sword-gun?

Re:...reduced to a Squall

[deimios666]

Thar's a Gunblade you insensitive clod.

Re:looking for details on storm botnet control

[v1]

and redirects all P2P traffic and DNS requests through nodes acting as proxies to the "motherships"

ok so why are they not focusing on these "nodes"?

Re:90 % decrease smells fishy...

[hasbeard]

I think I recently saw something about Microsoft pushing out an update that supposed to have cleaned a lot of these machines.

Re:looking for details on storm botnet control

[nuzak]

> ok so why are they not focusing on these "nodes"?

Three guesses as to how storm supernodes get installed.

Re:looking for details on storm botnet control

[Kobun]

http://www.securiteam.com/securityreviews/6U00L1P5PY.html
Read this article.

Re:Advice Please

[iogan]

It might be diet related. Get her to eat more healthy food, and then see what happens.

Re:looking for details on storm botnet control

[Fnord666]

ok so why are they not focusing on these "nodes"?

As I understand it, they are also using fast flux DNS to move these nodes around on a regular basis. By the time you track one down, it is no longer a node in the network, just another compromised system.

Re:looking for details on storm botnet control

[v1]

That's a very interesting read. I hope the authors release a similar, more up-to-date rundown of Storm. it sounds like Curious Yellow is one step before Storm in terms of worm evolution. (or that it was the successor to it?)

Re:it's true

[calebt3]

What is C3? (besides a plastic explosive)

Re:looking for details on storm botnet control

[ymgve]

Doesn't matter that it's 40-byte. It's using simple XOR encryption, and the key is stored in plaintext inside the unpacked executable.

(If anybody cares, the current key, atleast for the botnet partition I've seen, is F3 AA 58 0E 78 DE 9B 37 15 74 2C 8F B3 41 C5 50 33 7A 63 3D E6 13 DF 6C 46 CA BE 9A 77 48 94 02 C0 F3 66 49 EE 87 21 BB.)

Re:looking for details on storm botnet control

[Gazzonyx]

How current are your binaries of this thing? I've been wanting to get my hands on this thing and tear it apart for some time now...

Fire in the hole!

[Gazzonyx]

Whatever the case is, its a nasty piece of work. Theres precious little that'll stand up to that thing focusing fire on a target. Actually, I heard that in an attempt to bolster its strength, it posts stories on slashdot that link to security companies sites. If it can't take our Mac, BSD, and *nix boxes, it'll just have to do some social engineering! Did you notice every time someone has new information about storm, we end up slashdotting it? :)

I was only kidding when I started writing this, but on second thought... manual override of slashdot via front page stories isn't such a bad idea... Let's post a story about Mcaffee as a trial run!

Re:looking for details on storm botnet control

[ymgve]

A few days old now, but these IPs are some of the ones that have been taken over to host the malware. Add http:/// to the front, and download the executables from there.

!!! WARNING - THESE SITES CONTAINS JAVASCRIPT EXPLOITS AND POSSIBLY OTHER EXPLOITS - APPROACH WITH CAUTION !!!

70.241.136.75
24.31.16.133
68.58.22.93
69.153.22.0
24.30.230.51
75.23.213.0
76.22.95.226
76.87.15.223
213.85.39.178
68.126.134.102
68.81.124.62
200.127.28.133
68.158.67.73
68.42.159.205
66.30.37.175
12.202.175.97
200.106.170.69
86.127.5.24
195.3.220.153
24.0.96.97

How is Storm spread?

[jasen666]

I've been running an unpatched XP, pre-service packs, on a VMware session on a DMZ for a while now. Obviously trying to catch something.
I think maybe my ISP might be actually protecting its customers by filtering, because this box has yet to catch anything. I was hoping to get a bot worm on it, just so I could do some packet logging, and try to see some of the command and control packets the bot uses.
I'm not sure if I'm disappointed or happy that my ISP is filtering traffic.

Re:How is Storm spread?

[JonXP]

For the most part it is spread as a trojan, only one of its methods of infection actually take advantage of a Windows vulnerability. The rest rely on user intervention.

Re:How is Storm spread?

[simong]

I had a look at a Storm spam mail a while ago and it gave a link to a fake website on a compromised machine which then prompted the user to download an executable 'for authentication', which when clicked on to run presumably became another member of the botnet, so like most viruses and scams, it requires a human element. Presumably most AV systems have now got wise to it and it wasn't as clever as originally thought.

Re:it's true

[budgenator]

C3 is a computer security rating, basically you can't use windows in a classified environment unless the network is disabled or air-gapped, only connected to computers in the same environment. C4 is the plastic explosive cool stuff, you can jump up and down on it or hit it with a hammer or you can light it to heat your food, no probmlem, just don't jump on it when it's lit or you'll be picking your toes through your nose.

Yes, but at what cost?

[gillbates]

Sure, you can secure Windows. You can also make Linux run Windows programs. If you're willing to put in the effort, I suppose you could run a web server on a C64 (Hey! Some people have!)

But the point is that it's a lot more practical to just buy a Mac if you're a non-technical user. You get ease of use, with none of the security and stability problems of Windows.

And if you are technical, and are going to put in the effort to learn a system in depth, why would you pick Windows? If you learn Linux, you can transfer that knowledge to working on UNIX systems, and the usefulness of your knowledge isn't subject to the capricious actions of a convicted felon (Microsoft). Sure, you could secure Windows, but every time Redmond releases another version, your knowledge becomes obsolete.

But there are a few additional points about Windows:

1. Windows has at least one - if not two or three - orders of magnitude more security vulnerabilities than Linux or Mac. This alone suggests that the problem of Windows security is much greater than that of Linux or Mac security, regardless of the reason.
2. A Windows system requires constant patching to remain relatively secure, and even so, there's always a small window of opportunity when even fully patched systems are vulnerable. (i.e, the time between the black hats discovering the exploit and the time white hats find it; and the time between notification and the time Microsoft is able to issue an update). Even though you are fully patched, your system still contains vulnerabilities yet undiscovered by the security researchers, but known to black hats.
3. Constant patching is not a viable option for most companies which must test patches for interoperability. In many cases, a company's own internal testing takes longer than it takes hackers to publish an exploit for the vulnerability. In such cases, their machines are never truly secure, even though they patch constantly.
4. You don't have the source code, so you can't audit it. Given that Microsoft was recently caught modifying files on their customers' computers without their consent, this is very troubling. You can't trust Microsoft to do what they say they will, nor can you verify they are.
5. You don't control what gets turned on by default, and sometimes a major, required component of Windows has security flaws (Blaster, anyone?). With UNIX like system, you can simply strip the box down to the bare minimum to achieve greater security.
6. Windows has a maze of interdependencies which often means that you simply cannot uninstall a problematic part of the OS. Take IE for example - though it can technically be uninstalled, it is required by even the most basic OS functions, which means that removing it is not a realistic option for the end user. Yet it continues to be a wellspring of security problems, made even worse by the fact that it isn't practical to run a system without it.

So sure, you can make Windows relatively secure, compared to other Windows boxes. But for the same amount of effort, you could secure a Linux machine to a much greater degree, and have a stable, trustworthy system as well. Sure, neither system is perfect, but for the effort you expend, you get a much better system by installing Linux or buying a Mac.

And I suppose a slashdot post wouldn't be complete without some anecdotal evidence. In the 10 years that I've been in the industry, every single one of my Windows using relatives have needed me to recover one of their crashed/unstable/unusably slow Windows systems. In fact, prior to XP, I had only met one person who both ran Windows and had not had it crash on them. And yet, even though Apple commands about 10% of the market, I have only once been asked if I could recover an Apple computer. And even then, it took only about 1/2 hour, and the guy didn't lose any of his data (he tried to update OS X, and botched it, but even then, he still was able to reco

Re:Yes, but at what cost?

[Torvaun]

Absolutely correct, and if it weren't for the gaming, I would likely have two Linux machines instead of one. Of course, I also earn money by doing computer maintenance for people and local businesses. These people use Windows, so it's worth my while to keep myself up to date.

Re:looking for details on storm botnet control

[josephdrivein]

From one of those:
SuperLaugh.exe 90923 (89K) md5: d87bd90e02d5137e6f5063f6fedce31e
Infected by Packed.Win32.Tibs.cu

Which doesn't tell us much, it seems to be a common way to refer to packed malware. It seems to be very small to be a peer to peer client.

The website I got it from is sick. Who wants to download a "psycho cat laughing to NO END"?

lack of updates and removal not the only problem

[Joseph_Daniel_Zukige]

I'm surprised at the fixation on updates here.

(Or maybe I just wish I were surprised.)

Updates and removal tools are kind of like shutting the gate after the cows have gone. Or, should I say, after the wooden horse has come and gone?

Seriously, guys, yeah, if it's borrowing a copy from your buddy, I suppose the probability is not so high, but there are a huge number of people running copies of MSWindows that buy from the same guys that sell v1a g ra via e-mail.

Does this have to be spelled out?

Not compatible with linux:(

[the_one(2)]

I'm afraid you can't run the storm virus in wine ( at least not the standard windows version ) when will it be the year of linux on desktop?

Pls Mod Parent Up (was Re:washingtonpost.com ...)

[siglercm]

I've no mod points. Parent links to reasonably informative article. Thx.

A Lull?

[fuliginous]

I thought the Storm worm was sufficiently capable and also directed that it could lay silent. So it could just be that they are having it lay low at the moment whilst performing an upgrade?

Vista is the cause!

[Foundryman]

I'm certain the drop is due to all the previously infected machines being taken out of service and replaced with shiny new computers running Windows Vista!
Just need to wait a while until they get reinfected and the numbers will start to climb back up.

So many comments, so many mistaken terms...

[BrianGKUAC]

I'm sorry to have to post this, but it seems like a more and more prolific problem.

Macs are computers.

The operating system that runs on them is OS X.

The company that makes them is Apple (APPL).

Linux is a kernel for an operating system, whereas Windows is a full operating system.

You don't say "Macintosh did something to OS X" for exactly the same reason as you don't say "Optiplex GX620 added more features to Windows."

If you're talking about a company, talk about the company... if a product line, talk about the product line. If you're referring to an Operating System, please reference the Operating System.

I'm sorry, I'll return to my hole now... /rant

Re:looking for details on storm botnet control

[hitchhacker]

It seems to be very small to be a peer to peer client. IIRC, Storm uses a 5 stage infection. You are only looking at the 1st stage, which would connect, via several possible fast-fluxing domain names, to download the next stage's exe. It also overwrites several system files like tcpip.sys which allow it to survive reboots.

-metric